{"api_version":"1","generated_at":"2026-04-22T20:52:16+00:00","cve":"CVE-2021-28363","urls":{"html":"https://cve.report/CVE-2021-28363","api":"https://cve.report/api/cve/CVE-2021-28363.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-28363","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-28363"},"summary":{"title":"CVE-2021-28363","description":"The urllib3 library 1.26.x before 1.26.4 for Python does not verify the hostname of the TLS certificate presented by an HTTPS proxy when it opens the initial connection to that proxy for HTTPS-to-HTTPS proxying, unless the caller supplies its own SSLContext via proxy_config. Chain validation against the default urllib3 SSLContext still runs, so this is not a complete omission of certificate validation: the proxy connection silently accepts any certificate that chains to a trusted CA, even one issued for a different server (improper certificate validation, CWE-295). An attacker positioned between the client and the proxy who holds any such certificate can therefore impersonate the proxy without any warning to the client. Fixed in urllib3 1.26.4; per the NVD configuration only the 1.26.0 through 1.26.3 range is affected.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2021-03-15 18:15:00","updated_at":"2023-11-07 03:32:00"},"problem_types":["CWE-295"],"metrics":[],"references":[{"url":"https://pypi.org/project/urllib3/1.26.4/","name":"https://pypi.org/project/urllib3/1.26.4/","refsource":"CONFIRM","tags":[],"title":"urllib3 · PyPI","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/urllib3/urllib3/security/advisories/GHSA-5phf-pp7p-vc2r","name":"https://github.com/urllib3/urllib3/security/advisories/GHSA-5phf-pp7p-vc2r","refsource":"CONFIRM","tags":[],"title":"Using default SSLContext for HTTPS requests in an HTTPS proxy doesn't verify certificate hostname for proxy connection · Advisory · urllib3/urllib3 · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/urllib3/urllib3/commit/8d65ea1ecf6e2cdc27d42124e587c1b83a3118b0","name":"https://github.com/urllib3/urllib3/commit/8d65ea1ecf6e2cdc27d42124e587c1b83a3118b0","refsource":"CONFIRM","tags":[],"title":"Merge pull request from GHSA-5phf-pp7p-vc2r · urllib3/urllib3@8d65ea1 · 
GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4S65ZQVZ2ODGB52IC7VJDBUK4M5INCXL/","name":"FEDORA-2021-3f378dda90","refsource":"","tags":[],"title":"[SECURITY] Fedora 34 Update: python-pip-21.0.1-3.fc34 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4S65ZQVZ2ODGB52IC7VJDBUK4M5INCXL/","name":"FEDORA-2021-3f378dda90","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 34 Update: python-pip-21.0.1-3.fc34 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://security.gentoo.org/glsa/202107-36","name":"GLSA-202107-36","refsource":"GENTOO","tags":[],"title":"urllib3: Multiple vulnerabilities (GLSA 202107-36) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.oracle.com/security-alerts/cpuoct2021.html","name":"https://www.oracle.com/security-alerts/cpuoct2021.html","refsource":"MISC","tags":[],"title":"Oracle Critical Patch Update Advisory - October 2021","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://security.gentoo.org/glsa/202305-02","name":"GLSA-202305-02","refsource":"GENTOO","tags":[],"title":"Python, PyPy3: Multiple Vulnerabilities (GLSA 202305-02) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/urllib3/urllib3/commits/main","name":"https://github.com/urllib3/urllib3/commits/main","refsource":"MISC","tags":[],"title":"Commits · urllib3/urllib3 · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-28363","name":"CVE Program 
record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-28363","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2021","cve_id":"28363","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"34","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"28363","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"peoplesoft_enterprise_peopletools","cpe6":"8.59","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"28363","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"python","cpe5":"urllib3","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2021-28363","qid":"179631","title":"Debian Security Update for python-urllib3 (CVE-2021-28363)"},{"cve":"CVE-2021-28363","qid":"281095","title":"Fedora Security Update for python (FEDORA-2021-3f378dda90)"},{"cve":"CVE-2021-28363","qid":"352387","title":"Amazon Linux Security Advisory for python-pip: ALAS2-2021-1667"},{"cve":"CVE-2021-28363","qid":"353121","title":"Amazon Linux Security Advisory for python-pip : ALAS2-2022-1742"},{"cve":"CVE-2021-28363","qid":"375970","title":"Oracle PeopleSoft Enterprise PeopleTools Product Multiple Vulnerabilities (CPUOCT2021)"},{"cve":"CVE-2021-28363","qid":"501771","title":"Alpine Linux Security Update for py3-urllib3"},{"cve":"CVE-2021-28363","qid":"504335","title":"Alpine Linux Security Update for py3-urllib3"},{"cve":"CVE-2021-28363","qid":"710032","title":"Gentoo Linux urllib3 Multiple vulnerabilities (GLSA 
202107-36)"},{"cve":"CVE-2021-28363","qid":"710714","title":"Gentoo Linux Python, PyPy3 Multiple Vulnerabilities (GLSA 202305-02)"},{"cve":"CVE-2021-28363","qid":"980343","title":"Python (pip) Security Update for urllib3 (GHSA-5phf-pp7p-vc2r)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2021-28363","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate validation in some cases involving HTTPS to HTTPS proxies. The initial connection to the HTTPS proxy (if an SSLContext isn't given via proxy_config) doesn't verify the hostname of the certificate. This means certificates for different servers that still validate properly with the default urllib3 SSLContext will be silently 
accepted."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"url":"https://github.com/urllib3/urllib3/commits/main","refsource":"MISC","name":"https://github.com/urllib3/urllib3/commits/main"},{"refsource":"FEDORA","name":"FEDORA-2021-3f378dda90","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4S65ZQVZ2ODGB52IC7VJDBUK4M5INCXL/"},{"refsource":"GENTOO","name":"GLSA-202107-36","url":"https://security.gentoo.org/glsa/202107-36"},{"url":"https://www.oracle.com/security-alerts/cpuoct2021.html","refsource":"MISC","name":"https://www.oracle.com/security-alerts/cpuoct2021.html"},{"refsource":"CONFIRM","name":"https://pypi.org/project/urllib3/1.26.4/","url":"https://pypi.org/project/urllib3/1.26.4/"},{"refsource":"CONFIRM","name":"https://github.com/urllib3/urllib3/commit/8d65ea1ecf6e2cdc27d42124e587c1b83a3118b0","url":"https://github.com/urllib3/urllib3/commit/8d65ea1ecf6e2cdc27d42124e587c1b83a3118b0"},{"refsource":"CONFIRM","name":"https://github.com/urllib3/urllib3/security/advisories/GHSA-5phf-pp7p-vc2r","url":"https://github.com/urllib3/urllib3/security/advisories/GHSA-5phf-pp7p-vc2r"},{"refsource":"GENTOO","name":"GLSA-202305-02","url":"https://security.gentoo.org/glsa/202305-02"}]}},"nvd":{"publishedDate":"2021-03-15 18:15:00","lastModifiedDate":"2023-11-07 
03:32:00","problem_types":["CWE-295"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE","baseScore":6.5,"baseSeverity":"MEDIUM"},"exploitabilityScore":3.9,"impactScore":2.5},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:N","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":6.4},"severity":"MEDIUM","exploitabilityScore":10,"impactScore":4.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:python:urllib3:*:*:*:*:*:*:*:*","versionStartIncluding":"1.26.0","versionEndExcluding":"1.26.4","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"28363","Ordinal":"203530","Title":"CVE-2021-28363","CVE":"CVE-2021-28363","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"28363","Ordinal":"1","NoteData":"The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate validation in some cases involving HTTPS to HTTPS proxies. The initial connection to the HTTPS proxy (if an SSLContext isn't given via proxy_config) doesn't verify the hostname of the certificate. 
This means certificates for different servers that still validate properly with the default urllib3 SSLContext will be silently accepted.","Type":"Description","Title":null},{"CveYear":"2021","CveId":"28363","Ordinal":"2","NoteData":"2021-03-15","Type":"Other","Title":"Published"},{"CveYear":"2021","CveId":"28363","Ordinal":"3","NoteData":"2021-10-20","Type":"Other","Title":"Modified"}]}}}